36.1 Understanding Oracle Mobile Authenticator Configuration

The Oracle Mobile Authenticator (OMA) app can retrieve the secret key required to generate an OTP, or register with Access Manager to receive push notifications.

Provisioning the secret key can be done online or offline; registering for push notifications, however, can only be done while online.

Note:

For details on the secret key, see Generating a Secret Key for the Oracle Mobile Authenticator.

  • Online Configuration uses the REST web services and the Mobile OAuth Services described in Generating a Secret Key for the Oracle Mobile Authenticator and Configuring Mobile OAuth Services to Protect a Secret Key. Once these are enabled, the OMA app can invoke the service to get a secret key or to register for push notifications. To invoke the REST web services, OMA needs to know their location URL. The Oracle Access Management administrator therefore creates a web page to configure the OMA: when the user taps the web page's link (delivered via e-mail), the link launches the OMA, passes the location URL to the app, and the REST web services location is configured. The format of the location URL is as follows.

    oraclemobileauthenticator://settings?ServiceName::=<name_of_service>
    &ServiceType::=SharedSecret/Notification/Both
    &SharedSecretAuthServerType::=HTTPBasicAuthentication/OAuthAuthentication
    &LoginURL::=http://<host>:<port>/secretKeyURL
    &NotificationAuthServerType::=HTTPBasicAuthentication
    &PushPreferencesEndpoint::=http://<host>:<port>/preferencesURL
    &ChallengeAnswerEndpoint::=http://<host>:<port>/challengeAnswerURL
    &SenderID::=<senderID>
    &OAuthClientID::=<clientID>
    &OAMOAuthServiceEndpoint::=http://<host>:<port>/oauthserviceURL
    &OAuthScope::=<OAuthScope>

    Table 36-1 documents definitions for the location URL parameters.

    Table 36-1 Location URL Parameter Definitions

    Parameter                    Definition
    ---------------------------  ----------------------------------------------------------------
    ServiceName                  Name of the service. This name must be unique in OMA; if another
                                 configuration with the same name is sent, the user is prompted
                                 to overwrite the previous one.
    ServiceType                  The type of service provided by this configuration: one-time
                                 password, notification, or a hybrid service that combines both.
                                 Value can be SharedSecret, Notification or Both.
    SharedSecretAuthServerType   The type of authentication by which the shared secret
                                 provisioning REST endpoint is protected. Value can be
                                 HTTPBasicAuthentication or OAuthAuthentication.
    LoginURL                     The REST endpoint that provisions the shared secret for
                                 generating one-time passwords. The value specified for the
                                 LoginURL query parameter depends on the OAuth settings for
                                 Oracle Mobile Authenticator.
    NotificationAuthServerType   The type of authentication by which the notification
                                 registration endpoint is protected. Currently only HTTP basic
                                 authentication is supported, so the value is
                                 HTTPBasicAuthentication.
    PushPreferencesEndpoint      The REST endpoint to which push notification preferences are
                                 sent.
    ChallengeAnswerEndpoint      The REST endpoint to which push notification responses are
                                 sent.
    SenderID                     The Android sender ID for sending push notifications. The
                                 SenderID is only required on Android; it is not required on
                                 iOS.
    OAuthClientID                The OAuth client ID, required if SharedSecretAuthServerType is
                                 set to OAuthAuthentication.
    OAMOAuthServiceEndpoint      The OAM OAuth service endpoint used to get the OAuth profiles
                                 available on the server.
    OAuthScope                   The OAuth scope required to access the shared secret.

    Online configuration details are also documented in Configuring the Oracle Mobile Authenticator for iOS and Configuring the Oracle Mobile Authenticator for Android. OAuth configuration details are in Configuring OAuth Services.

    Note:

    Oracle recommends using online configuration.

  • Offline Configuration supports use cases in which the mobile device cannot connect to the REST endpoint, or in which the parameters needed to generate the OTP differ from the defaults. The Access Manager administrator sets up a web application that allows the user to generate or recreate a secret key. The user logs in to this web application and, after authentication, is allowed to view the secret key and enter it in the OMA app manually. The secret key can also be delivered via an offline configuration URL, which gives the administrator the option of changing the OTP generation parameters (time step, hashing algorithm and the like). The format of the offline configuration URL is:

    oraclemobileauthenticator://settings?SharedSecretValue::=<secret_key>
    &AccountName::=<username>&SharedSecretEncoding::=Base32/Base64String
    &OTPAlgorithm::=TOTP
    &HashingAlgorithm::=MD5/SHA-1/SHA-224/SHA-256/SHA-384/SHA-512
    &OTPLength::=<length_of_OTP>&TimeStep::=<time_in_seconds>

    Table 36-2 contains details regarding the parameters.

    Table 36-2 Offline Configuration URL Parameters

    Parameter                    Description
    ---------------------------  ----------------------------------------------
    SharedSecretValue            Mandatory; the value is the secret key.
    AccountName                  Prompts the user for input if omitted.
    SharedSecretEncoding         Default is Base32.
    OTPAlgorithm                 Default is TOTP.
    HashingAlgorithm             Default is SHA-1.
    OTPLength                    Default is 6.
    TimeStep                     Default is 30 sec.

    Offline configuration details are also documented in Configuring Oracle Mobile Authenticator for Offline OTP Generation on iOS and Configuring Oracle Mobile Authenticator for Offline OTP Generation on Android.
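    The following is an added example, not Oracle's code and not part of the OMA app. It parses a configuration URL of either form described in this section (the online location URL and the offline configuration URL share the `oraclemobileauthenticator://settings?Key::=Value&...` syntax), checks an online URL against the values in Table 36-1, and generates a TOTP from an offline URL using the parameters and defaults in Table 36-2. The function names are my own, the secret keys are the constructed RFC 6238 test seeds rather than real provisioning values, and two checks are assumptions a deployer would add rather than rules the page states: which endpoints are needed for a given ServiceType, and that the endpoints carrying the secret or the push registration should be served over https.

```python
# Added example (not Oracle's code): parse an OMA configuration URL of either form,
# validate an online URL against Table 36-1, and compute a TOTP from an offline URL
# with the Table 36-2 parameters and defaults. Assumptions: the per-ServiceType
# "required endpoint" list and the https check are a deployer's additions, not rules
# stated on the page; sample secrets are the constructed RFC 6238 test seeds.
import base64
import hashlib
import hmac
import struct
import time

PREFIX = "oraclemobileauthenticator://settings?"

ONLINE_ENUMS = {  # allowed values per Table 36-1
    "ServiceType": {"SharedSecret", "Notification", "Both"},
    "SharedSecretAuthServerType": {"HTTPBasicAuthentication", "OAuthAuthentication"},
    "NotificationAuthServerType": {"HTTPBasicAuthentication"},
}
OFFLINE_DEFAULTS = {  # defaults per Table 36-2
    "SharedSecretEncoding": "Base32", "OTPAlgorithm": "TOTP",
    "HashingAlgorithm": "SHA-1", "OTPLength": "6", "TimeStep": "30",
}
HASHES = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-224": hashlib.sha224,
          "SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384, "SHA-512": hashlib.sha512}


def parse_oma_url(url):
    """Split 'oraclemobileauthenticator://settings?K::=V&K::=V' into a dict.
    Pairs are separated by '&' and keys from values by '::=' (the page's syntax),
    which is why a stock '='-based query-string parser is not used."""
    if not url.startswith(PREFIX):
        raise ValueError("not an OMA settings URL")
    params = {}
    for pair in url[len(PREFIX):].split("&"):
        if "::=" not in pair:
            raise ValueError("malformed parameter: %r" % pair)
        key, value = pair.split("::=", 1)
        params[key.strip()] = value.strip()
    return params


def validate_online(params):
    """Return a list of problems with an online-configuration URL (empty means OK)."""
    problems = ["missing " + k for k in ("ServiceName", "ServiceType") if not params.get(k)]
    for key, allowed in ONLINE_ENUMS.items():
        if key in params and params[key] not in allowed:
            problems.append("%s must be one of %s" % (key, sorted(allowed)))
    stype = params.get("ServiceType")
    need = []  # assumption: endpoints a deployer would require for each ServiceType
    if stype in ("SharedSecret", "Both"):
        need.append("LoginURL")
        if params.get("SharedSecretAuthServerType") == "OAuthAuthentication":
            need += ["OAuthClientID", "OAMOAuthServiceEndpoint", "OAuthScope"]
    if stype in ("Notification", "Both"):
        need += ["PushPreferencesEndpoint", "ChallengeAnswerEndpoint"]
    problems += ["missing " + k for k in need if not params.get(k)]
    # These endpoints carry the secret key or the push registration; the page shows
    # http://<host>:<port> placeholders, so flag anything not served over TLS.
    for key in ("LoginURL", "PushPreferencesEndpoint", "ChallengeAnswerEndpoint",
                "OAMOAuthServiceEndpoint"):
        if key in params and not params[key].startswith("https://"):
            problems.append(key + " is not https")
    return problems


def decode_secret(value, encoding):
    """Decode SharedSecretValue according to SharedSecretEncoding (Table 36-2)."""
    if encoding == "Base32":
        return base64.b32decode(value.upper() + "=" * (-len(value) % 8))
    if encoding == "Base64String":
        return base64.b64decode(value)
    raise ValueError("unsupported SharedSecretEncoding: " + encoding)


def offline_settings(params):
    """Apply Table 36-2 defaults and coerce types; SharedSecretValue is mandatory."""
    if not params.get("SharedSecretValue"):
        raise ValueError("SharedSecretValue is mandatory")
    cfg = dict(OFFLINE_DEFAULTS, **params)
    if cfg["OTPAlgorithm"] != "TOTP":
        raise ValueError("only TOTP is described for OMA offline configuration")
    if cfg["HashingAlgorithm"] not in HASHES:
        raise ValueError("unsupported HashingAlgorithm: " + cfg["HashingAlgorithm"])
    cfg["OTPLength"] = int(cfg["OTPLength"])
    cfg["TimeStep"] = int(cfg["TimeStep"])
    return cfg


def totp(params, now=None):
    """RFC 6238 TOTP from an offline URL's secret, hash, length and time step."""
    cfg = offline_settings(params)
    key = decode_secret(cfg["SharedSecretValue"], cfg["SharedSecretEncoding"])
    counter = int(time.time() if now is None else now) // cfg["TimeStep"]
    digest = hmac.new(key, struct.pack(">Q", counter), HASHES[cfg["HashingAlgorithm"]]).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (cfg["OTPLength"], code % 10 ** cfg["OTPLength"])


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test seed "12345678901234567890" in Base32.
    url = PREFIX + "SharedSecretValue::=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&AccountName::=alice&OTPLength::=8"
    print(totp(parse_oma_url(url), now=59))  # 94287082 (RFC 6238 vector)
```

    Because the parser keeps the page's `::=` separator rather than `=`, a value such as a Base64String secret ending in `=` survives intact. Running the offline path against the RFC 6238 vectors is a quick way to confirm that a non-default HashingAlgorithm, OTPLength or TimeStep in the URL actually changes what the app would compute; a mismatch between the URL's parameters and the server's OTP settings is the usual cause of "valid" codes being rejected.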